Principles of Computer Security: CompTIA Security+™ and Beyond

Second Edition

Wm. Arthur Conklin
Gregory White
Dwayne Williams
Roger Davis
Chuck Cothren

New York Chicago San Francisco
Lisbon London Madrid Mexico City Milan
New Delhi San Juan Seoul Singapore Sydney Toronto

CONTENTS AT A GLANCE

Chapter 1

Introduction and Security Trends 1

Chapter 2

General Security Concepts 20

Chapter 3

Operational and Organizational Security 50

Chapter 4

The Role of People in Security 66

Chapter 5

Cryptography 82

Chapter 6

Public Key Infrastructure 114

Chapter 7

Standards and Protocols 152

Chapter 8

Physical Security 178

Chapter 9

Network Fundamentals 204

Chapter 10

Infrastructure Security 228

Chapter 11

Authentication and Remote Access 260

Chapter 12

Wireless Security 294

Chapter 13

Intrusion Detection Systems and Network Security 318

Chapter 14

Baselines 358

Chapter 15

Types of Attacks and Malicious Software 388

Chapter 16

E-Mail and Instant Messaging 420

Chapter 17

Web Components 444

Chapter 18

Secure Software Development 474

Chapter 19

Disaster Recovery, Business Continuity, and Organizational Policies 492

Chapter 20

Risk Management 524

Chapter 21

Change Management 544

Chapter 22

Privilege Management 560

Chapter 23

Computer Forensics 580

Chapter 24

Legal Issues and Ethics 596

Chapter 25

Privacy 618

Appendix A

Objectives Map: CompTIA Security+ 640

Appendix B

About the CD 648

Glossary 650

Index 664


CONTENTS

Preface xxi

Introduction xxiii

CompTIA Authorized Quality Curriculum xxvi

Instructor and Student Web Site xxvii

Chapter 1

Introduction and Security Trends 1

The Security Problem 1

Security Incidents 1

Threats to Security 7

Security Trends 10

Avenues of Attack 11

The Steps in an Attack 12

Minimizing Possible Avenues of Attack 13

Types of Attacks 14

Chapter 1 Review 15

Chapter 2

General Security Concepts 20

Basic Security Terminology 21

Security Basics 21

Access Control 31

Authentication 31

Authentication and Access Control Policies 32

Social Engineering 33

Security Policies 34

Change Management Policy 35

Classification of Information 36

Acceptable Use Policy 36

Due Care and Due Diligence 38

Due Process 38

Need to Know 39

Disposal and Destruction Policy 39

Service Level Agreements 40

Human Resources Policies 40

Security Models 42

Confidentiality Models 42

Integrity Models 43

Chapter 2 Review 46

Chapter 3

Operational and Organizational Security 50

Security Operations in Your Organization 51

Policies, Procedures, Standards, and Guidelines 51

The Security Perimeter 52

Physical Security 53

Access Controls 54

Physical Barriers 56

Environmental Issues 56

Fire Suppression 57

Wireless 58

Electromagnetic Eavesdropping 59

Location 60

Chapter 3 Review 62

Chapter 4

The Role of People in Security 66

People—A Security Problem 67

Social Engineering 67

Poor Security Practices 71

People as a Security Tool 76

Security Awareness 76

Individual User Responsibilities 77

Chapter 4 Review 78

Chapter 5

Cryptography 82

Algorithms 84

Hashing Functions 87

SHA 88

Message Digest 90

Hashing Summary 91

Symmetric Encryption 91

DES 92

3DES 93

AES 94

CAST 95
xiv

Contents

RC 95

Blowfish 97

IDEA 97

Symmetric Encryption Summary 97

Asymmetric Encryption 98

RSA 98

Diffie-Hellman 99

ElGamal 100

ECC 100

Asymmetric Encryption Summary 101

Steganography 101

Cryptography Algorithm Use 103

Confidentiality 104

Integrity 104

Nonrepudiation 104

Authentication 105

Key Escrow 105

Digital Signatures 106

Digital Rights Management 107

Cryptographic Applications 108

Chapter 5 Review 110


Chapter 6

Public Key Infrastructure 114

The Basics of Public Key Infrastructures 115

Certificate Authorities 117

Registration Authorities 118

Local Registration Authorities 120

Certificate Repositories 120

Trust and Certificate Verification 121

Digital Certificates 124

Certificate Attributes 125

Certificate Extensions 126

Certificate Lifecycles 127

Centralized and Decentralized Infrastructures 132

Hardware Storage Devices 133

Private Key Protection 134

Key Recovery 135

Key Escrow 136

Public Certificate Authorities 137

In-House Certificate Authorities 138

Choosing Between a Public CA and an In-House CA 138

Outsourced Certificate Authorities 139

Tying Different PKIs Together 140

Trust Models 140

Certificate-Based Threats 145

Chapter 6 Review 147

Chapter 7

Standards and Protocols 152

PKIX and PKCS 154

PKIX Standards 155

PKCS 156

Why You Need to Know the PKIX and PKCS Standards 158

X.509 160

SSL/TLS 161

ISAKMP 162

CMP 163

XKMS 164

S/MIME 166

IETF S/MIME History 166

IETF S/MIME v3 Specifications 167

PGP 168

How PGP Works 168

HTTPS 169

IPsec 170

CEP 170

FIPS 170

Common Criteria for Information Technology Security (Common Criteria or CC) 171

WTLS 171

PPTP 172

WEP 172

WEP Security Issues 172

ISO/IEC 27002 (Formerly ISO 17799) 173

Chapter 7 Review 174

Chapter 8

Physical Security 178

The Security Problem 179

Physical Security Safeguards 183

Walls and Guards 183

Policies and Procedures 184

Access Controls and Monitoring 188

Environmental Controls 191

Fire Suppression 191

Authentication 195

Chapter 8 Review 200
Chapter 9

Network Fundamentals 204

Network Architectures 205

Network Topology 206

Network Protocols 207

Packets 209

TCP vs. UDP 210

ICMP 211

Packet Delivery 213

Local Packet Delivery 213

Remote Packet Delivery 214

IP Addresses and Subnetting 215

Network Address Translation 217

Security Zones 218

VLANs 222

Tunneling 223

Chapter 9 Review 224

Chapter 10

Infrastructure Security 228

Devices 229

Workstations 229

Servers 231

Virtualization 232

Network Interface Cards 232

Hubs 233

Bridges 233

Switches 234

Routers 235

Firewalls 236

Wireless 238

Modems 239

Telecom/PBX 240

VPN 241

Intrusion Detection Systems 241

Network Access Control 242

Network Monitoring/Diagnostic 242

Mobile Devices 244

Device Security, Common Concerns 244

Media 245

Coaxial Cable 245

UTP/STP 245

Fiber 247

Unguided Media 248

Security Concerns for Transmission Media 249

Physical Security Concerns 249

Removable Media 250

Magnetic Media 251

Optical Media 253

Electronic Media 254

Network Attached Storage 255

Chapter 10 Review 256

Chapter 11

Authentication and Remote Access 260

The Remote Access Process 261

Identification 262

Authentication 262

Authorization 267

Access Control 268

IEEE 802.1X 270

Wireless Protocols 271

RADIUS 271

RADIUS Authentication 272

RADIUS Authorization 273

RADIUS Accounting 273

Diameter 274

TACACS+ 274

TACACS+ Authentication 275

TACACS+ Authorization 276

TACACS+ Accounting 276

Authentication Protocols 277

L2TP and PPTP 277

PPP 277

PPTP 278

EAP 279

CHAP 279

NTLM 280

PAP 280

L2TP 280

Telnet 281

SSH 281

VPNs 283

IPsec 284

Security Associations 284

IPsec Configurations 285

IPsec Security 286

Vulnerabilities of Remote Access Methods 288

Connection Summary 289

Chapter 11 Review 290

Chapter 12

Wireless Security 294

Introduction to Wireless Networking 295

Mobile Phones 296

WAP 298

3G Mobile Networks 300
Bluetooth 300

802.11 302

802.11: Individual Standards 304

Attacking 802.11 306

New Security Protocols 310

Implementing 802.1X 311

Chapter 12 Review 314

Chapter 13

Intrusion Detection Systems and Network Security 318

History of Intrusion Detection Systems 319

IDS Overview 320

Network-Based IDSs 322

Advantages of a NIDS 326

Disadvantages of a NIDS 326

Active vs. Passive NIDSs 326

Signatures 327

False Positives and False Negatives 328

IDS Models 329

Firewalls 329

How Do Firewalls Work? 331

Intrusion Prevention Systems 333

Proxy Servers 334

Internet Content Filters 336

Protocol Analyzers 336

Honeypots and Honeynets 338

Host-Based IDSs 340

Advantages of HIDSs 343

Disadvantages of HIDSs 344

Active vs. Passive HIDSs 345

Resurgence and Advancement of HIDSs 345

PC-Based Malware Protection 346

Antivirus Products 346

Personal Software Firewalls 349

Pop-up Blockers 350

Windows Defender 351

Antispam 353

Chapter 13 Review 354

Chapter 14

Baselines 358

Overview of Baselines 359

Password Selection 359

Operating System and Network Hardening 360

Operating System Hardening 360

Hardening Microsoft Operating Systems 361

Hardening UNIX- or Linux-Based Operating Systems 364

Updates (a.k.a. Hotfixes, Service Packs, and Patches) 373

Network Hardening 375

Software Updates 376

Device Configuration 376

Application Hardening 377

Application Patches 377

Patch Management 378

Group Policies 380

Security Templates 382

Chapter 14 Review 384

Chapter 15

Types of Attacks and Malicious Software 388

Avenues of Attack 389

The Steps in an Attack 389

Minimizing Possible Avenues of Attack 391

Attacking Computer Systems and Networks 392

Denial-of-Service Attacks 392

Backdoors and Trapdoors 395

Null Sessions 395

Sniffing 396

Spoofing 397

Man-in-the-Middle Attacks 400

Replay Attacks 400

TCP/IP Hijacking 401

Drive-by Download Attacks 401

Phishing and Pharming Attacks 401

Attacks on Encryption 402

Address System Attacks 403

Password Guessing 404

Software Exploitation 405

Malicious Code 406

Malware Defenses 412

War-Dialing and War-Driving 413

Social Engineering 414

Auditing 414

Chapter 15 Review 416


Chapter 16

E-Mail and Instant Messaging 420

Security of E-Mail 421

Malicious Code 423

Hoax E-Mails 427

Unsolicited Commercial E-Mail (Spam) 428

Mail Encryption 431

S/MIME 432

PGP 433

Instant Messaging 435

Chapter 16 Review 440

Chapter 17

Web Components 444

Current Web Components and Concerns 445

Web Protocols 445

Encryption (SSL and TLS) 446

The Web (HTTP and HTTPS) 452

Directory Services (DAP and LDAP) 453

File Transfer (FTP and SFTP) 454

Vulnerabilities 455

Code-Based Vulnerabilities 455

Buffer Overflows 456

Java and JavaScript 457

ActiveX 459

Securing the Browser 460

CGI 461

Server-Side Scripts 461

Cookies 462

Signed Applets 464

Browser Plug-ins 465

Application-Based Weaknesses 467

Open Vulnerability and Assessment Language (OVAL) 468

Web 2.0 and Security 468

Chapter 17 Review 470

Chapter 18

Secure Software Development 474

The Software Engineering Process 475

Process Models 475

Secure Development Lifecycle 476

Threat Modeling Steps 478

Chapter 18 Review 488

Chapter 19

Disaster Recovery, Business Continuity, and Organizational Policies 492

Disaster Recovery 493

Disaster Recovery Plans/Process 493

Backups 495

Utilities 502

Secure Recovery 502

Cloud Computing 503

High Availability and Fault Tolerance 503

Computer Incident Response Teams 505

Test, Exercise, and Rehearse 505

Policies and Procedures 506

Security Policies 507

Privacy 513

Service Level Agreements 513

Human Resources Policies 513

Code of Ethics 515

Incident Response Policies and Procedures 516

Chapter 19 Review 520

Chapter 20

Risk Management 524

An Overview of Risk Management 525

Example of Risk Management at the International Banking Level 525

Risk Management Vocabulary 526

What Is Risk Management? 527

Business Risks 528

Examples of Business Risks 528

Examples of Technology Risks 529

Risk Management Models 529

General Risk Management Model 529

Software Engineering Institute Model 532

Model Application 533

Qualitatively Assessing Risk 533

Quantitatively Assessing Risk 535

Adding Objectivity to a Qualitative Assessment 535

A Common Objective Approach 536

Qualitative vs. Quantitative Risk Assessment 537

Tools 538

Chapter 20 Review 539
Chapter 21

Change Management 544

Why Change Management? 545

The Key Concept: Separation of Duties 547

Elements of Change Management 548

Implementing Change Management 550

The Purpose of a Change Control Board 551

Code Integrity 553

The Capability Maturity Model Integration 553

Chapter 21 Review 555

Chapter 22

Privilege Management 560

User, Group, and Role Management 561

User 561

Group 563

Role 564

Password Policies 564

Domain Password Policy 565

Single Sign-On 567

Time of Day Restrictions 568

Tokens 568

Account and Password Expiration 569

Security Controls and Permissions 570

Access Control Lists 571

Handling Access Control (MAC, DAC, and RBAC) 573

Mandatory Access Control (MAC) 573

Discretionary Access Control (DAC) 574

Role-Based Access Control (RBAC) 575

Rule-Based Access Control (RBAC) 575

Chapter 22 Review 576

Chapter 23

Computer Forensics 580

Evidence 582

Standards for Evidence 582

Types of Evidence 582

Three Rules Regarding Evidence 583

Collecting Evidence 583

Acquiring Evidence 583

Identifying Evidence 585

Protecting Evidence 585

Transporting Evidence 586

Storing Evidence 586

Conducting the Investigation 586

Chain of Custody 587

Free Space vs. Slack Space 588

Free Space 588

Slack Space 588

Message Digest and Hash 588

Analysis 589

Chapter 23 Review 591

Chapter 24

Legal Issues and Ethics 596

Cybercrime 597

Common Internet Crime Schemes 599

Sources of Laws 600

Computer Trespass 600

Significant U.S. Laws 601

Payment Card Industry Data Security Standard (PCI DSS) 604

Import/Export Encryption Restrictions 605

Non-U.S. Laws 607

Digital Signature Laws 607

Digital Rights Management 609

Ethics 611

SANS Institute IT Code of Ethics 612

Chapter 24 Review 614

Essay Quiz 617

Chapter 25

Privacy 618

Personally Identifiable Information (PII) 619

Sensitive PII 620

Notice, Choice, and Consent 620

U.S. Privacy Laws 620

Privacy Act of 1974 621

Freedom of Information Act (FOIA) 621

Family Education Records and Privacy Act (FERPA) 622

U.S. Computer Fraud and Abuse Act (CFAA) 622

U.S. Children's Online Privacy Protection Act (COPPA) 623

Video Privacy Protection Act (VPPA) 623

Health Insurance Portability & Accountability Act (HIPAA) 624

Gramm-Leach-Bliley Act (GLBA) 625

California Senate Bill 1386 (SB 1386) 625

U.S. Banking Rules and Regulations 625

Payment Card Industry Data Security Standard (PCI DSS) 626

Fair Credit Reporting Act (FCRA) 627

Fair and Accurate Credit Transactions Act (FACTA) 627

Non-Federal Privacy Concerns in the United States 628
International Privacy Laws 629

OECD Fair Information Practices 629

European Laws 629

Canadian Laws 631

Asian Laws 631

Privacy-Enhancing Technologies 632

Privacy Policies 632

Privacy Impact Assessment 633

Web Privacy Issues 634

Platform for Privacy Preferences Project (P3P) 634

Chapter 25 Review 636

Appendix A

Objectives Map: CompTIA Security+ 640

Appendix B

About the CD 648

System Requirements 648

LearnKey Online Training 648

Installing and Running MasterExam 648

MasterExam 648

Electronic Book 649

Help 649

Removing Installation(s) 649

Technical Support 649

LearnKey Technical Support 649

Glossary 650

Index 664